  • WS-Security with Spring WS on both client and server side

    I'm trying to implement a service and a client that use WS-Security with signing and X.509v3 certificates. Using the WebServiceTemplate and the example code on Tareq's blog I was able to sign and secure the outgoing message on the client side. However, I get the following exception and fault message from the server:

    (specific class names, URLs and namespaces censored for security reasons)
    Code:
    2007-08-24 15:42:51,325 DEBUG [org.springframework.ws.client.core.WebServiceTemplate] - <Received Fault message for request [SaajSoapMessage  {(namespace)}endpoint ]>
    org.springframework.ws.soap.client.SoapFaultClientException: com.sun.xml.wss.XWSSecurityException: javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.dsig.TransformException: Couldn't find Canonicalizer for: http://www.w3.org/TR/2001/REC-xml-c14n-20010315: Unknown canonicalizer. No handler installed for URI http://www.w3.org/TR/2001/REC-xml-c14n-20010315; nested exception is com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.dsig.TransformException: Couldn't find Canonicalizer for: http://www.w3.org/TR/2001/REC-xml-c14n-20010315: Unknown canonicalizer. No handler installed for URI http://www.w3.org/TR/2001/REC-xml-c14n-20010315
    	at org.springframework.ws.soap.client.core.SoapFaultMessageResolver.resolveFault(SoapFaultMessageResolver.java:37)
    	at org.springframework.ws.client.core.WebServiceTemplate.handleFault(WebServiceTemplate.java:521)
    	at org.springframework.ws.client.core.WebServiceTemplate.sendAndReceive(WebServiceTemplate.java:404)
    	at org.springframework.ws.client.core.WebServiceTemplate.doSendAndReceive(WebServiceTemplate.java:350)
    	at org.springframework.ws.client.core.WebServiceTemplate.sendSourceAndReceiveToResult(WebServiceTemplate.java:296)
    	at org.springframework.ws.client.core.WebServiceTemplate.sendSourceAndReceiveToResult(WebServiceTemplate.java:287)
    	at Client.echo(Client.java:66)
    	at Client.main(Client.java:170)
    I've searched the web and several forums but haven't come across any issues that seem related.

    The message that is sent by the client is as follows:
    Code:
    2007-aug-24 15:42:50 com.sun.xml.wss.impl.filter.DumpFilter process
    INFO: ==== Sending Message Start ====
    <?xml version="1.0" encoding="UTF-8"?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" SOAP-ENV:mustUnderstand="1">
    <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="XWSSGID-1187962969606-569478501">MIIC+DCCAmGgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBpzELMAkGA1UEBhMCU0UxEjAQBgNVBAgT
    CVN0b2NraG9sbTESMBAGA1UEBxMJU3RvY2tob2xtMQ8wDQYDVQQKEwZBdmFuemExFjAUBgNVBAsT
    DUlUIFV0dmVja2xpbmcxHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTEnMCUGCSqGSIb3
    DQEJARYYZXJpay5tYWdudXNzb25AYXZhbnphLnNlMB4XDTA3MDcxMDAwMDM1NVoXDTA4MDcwOTAw
    MDM1NVowXzELMAkGA1UEBhMCU0UxEjAQBgNVBAgTCVN0b2NraG9sbTEPMA0GA1UEChMGQXZhbnph
    MRYwFAYDVQQLEw1JVCBVdHZlY2tsaW5nMRMwEQYDVQQDEwpzc2VrY2xpZW50MIGfMA0GCSqGSIb3
    DQEBAQUAA4GNADCBiQKBgQCcbXBVgYJf5bEHNLEvgB4HavVKzOqpiZX1iEGn+z3pI/E1DL9RVbjW
    CemFAk5mrZdKufv4H6Oh2cOEw5OhjBtF+Ccb3jvSNc0Jja6LyWddOWrbaLl7u7wT6v1pB8A9CiXt
    EGu6MrmjYUvDuIyJck7CCal1Z35hj5oDxn7PEwMIHQIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCG
    SAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUw6GtFfeb
    QqlhMWx7zEOQHf50cEowHwYDVR0jBBgwFoAUH2rnNR3AXhFneNI8l0Cjk3rlg6AwDQYJKoZIhvcN
    AQEFBQADgYEAXVscAAD/ddJSgzPsO2EtU9cMJrTnoQEBvRY9JLqVx/zrX0aybC/WGmeJlNRJBhOC
    XT7k/EnxfAqtXvUOuLbuw2a+rCahCZDRPEUMRHtQ8hV10dyIPeR1olUy7ZDb0ou0aYb823/uYQ09
    EDcTTBg5b8bavXlq1ABmGNpGo7mK7zw=</wsse:BinarySecurityToken>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <ds:Reference URI="#XWSSGID-11879629700281289441116">
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>4pGlrXI4kjDbh/dJCVxpLp1MEMw=</ds:DigestValue>
    </ds:Reference>
    <ds:Reference URI="#XWSSGID-11879629700281010617963">
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>cjKcC8Zn/XsIHqwoNBjZpQUXE6A=</ds:DigestValue>
    </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>SBJYrjq6R7FD2OPg+JrmtdsCyJ+Pp5LvKSzScZ6jVeFDfqCOu1wTjeJDFbRYso+IN+BrXGd2biv3
    zA92gQ3l+szJCOJHigYkMAS9iAJqD4bFU+15Xfae4LWXrD6VirBRlITwoKNJk5of1l2g/8zwRSKv
    sGMxaaWUg7KYq1EKhpU=</ds:SignatureValue>
    <ds:KeyInfo>
    <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-1187962970012-1745419003">
    <wsse:Reference URI="#XWSSGID-1187962969606-569478501" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
    </wsse:SecurityTokenReference>
    </ds:KeyInfo>
    </ds:Signature>
    <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-11879629700281010617963">
    <wsu:Created>2007-08-24T13:42:49Z</wsu:Created>
    <wsu:Expires>2007-08-24T13:42:54Z</wsu:Expires>
    </wsu:Timestamp>
    </wsse:Security>
    </SOAP-ENV:Header>
    <SOAP-ENV:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-11879629700281289441116">
    <!-- (soap body omitted) -->
    </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
    ==== Sending Message End  ====

    My XWSS configuration files are as follows:
    Client-side:
    Code:
    <xwss:SecurityConfiguration dumpMessages="true" xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
    	<xwss:Sign id="signature">
    		<xwss:X509Token certificateAlias="client"/>
    	</xwss:Sign>
    </xwss:SecurityConfiguration>
    Server-side:
    Code:
    <xwss:SecurityConfiguration xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
    	<xwss:RequireSignature requireTimestamp="true"/>
    </xwss:SecurityConfiguration>
    If any further code/config is required I'll gladly supply it!

    Thanks,
    Erik

  • #2
    Forgot to mention:
    I'm using Spring Web Services 1.0.0, JDK 1.6.0, and Resin 6.1.11 as a server.


    • #3
      Seems like it is an XWSS issue, so you can ask on the https://xwss.dev.java.net/ site.


      • #4
        Just a followup: the problem was caused by a conflict between the xmldsig.jar downloaded by Maven (I guess as a dependency for xwss-2.0) and the corresponding implementation in JRE 6. Removing the xmldsig.jar and just relying on JRE 6 solved the issue.


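The jar conflict described in #4 is easiest to confirm by asking the JVM which JSR 105 implementation actually backs `XMLSignatureFactory` and where that class was loaded from. The diagnostic below is an added example, not code from this thread or from Spring WS; it reports the provider and its code source, and checks whether that provider registers the inclusive C14N algorithm named in the fault from the first post (`http://www.w3.org/TR/2001/REC-xml-c14n-20010315`). A code source pointing at an `xmldsig.jar` rather than the JRE is the symptom #4 removed.

```java
import java.security.CodeSource;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;

import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;

/**
 * Added diagnostic (not from the thread): shows which XML-DSig provider is live in this JVM
 * and whether it knows the canonicalization algorithms a WS-Security signature needs.
 */
public class C14nCheck {

    /** Algorithm URI copied from the server fault in the first post. */
    static final String INCLUSIVE_C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315";

    /** Provider name plus the jar (or JRE) the factory implementation class came from. */
    public static String factoryOrigin(XMLSignatureFactory fac) {
        CodeSource src = fac.getClass().getProtectionDomain().getCodeSource();
        // Bootstrap (JRE) classes have no CodeSource; anything else names a jar on the class path.
        String where = (src == null) ? "JRE bootstrap class path" : String.valueOf(src.getLocation());
        return fac.getProvider().getName() + " (" + fac.getClass().getName() + ") from " + where;
    }

    /** True if the provider can at least construct the given canonicalization method. */
    public static boolean supportsC14n(XMLSignatureFactory fac, String algorithm) {
        try {
            fac.newCanonicalizationMethod(algorithm, (C14NMethodParameterSpec) null);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        } catch (InvalidAlgorithmParameterException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        System.out.println("XMLSignatureFactory: " + factoryOrigin(fac));
        String[] algorithms = { INCLUSIVE_C14N, CanonicalizationMethod.EXCLUSIVE };
        for (int i = 0; i < algorithms.length; i++) {
            String status = supportsC14n(fac, algorithms[i]) ? "registered" : "MISSING";
            System.out.println(algorithms[i] + " -> " + status);
        }
    }
}
```

Run it with exactly the class path the server uses (the Resin webapp's `WEB-INF/lib` included); a factory loaded from a third-party jar while the JRE ships its own is the conflict to resolve, and the second line tells you whether the provider that won even registers the algorithm the message's signature references.
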
        • #5
          I'm having another issue trying to get the certs to work; I receive the following error when trying to sign the outgoing message:

          Code:
          Sep 8, 2007 5:13:17 PM com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl getAliasPrivKeyCertRequest
          SEVERE: WSS0216: Callback Handler failed for SignatureKeyCallback.AliasPrivKeyCertRequest
          Sep 8, 2007 5:13:17 PM com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl getAliasPrivKeyCertRequest
          SEVERE: WSS0217: Exception in Callback Handler handle()
          java.lang.NullPointerException
          	at com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl.getAliasPrivKeyCertRequest(DefaultSecurityEnvironmentImpl.java:205)
          	at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:146)
          	at com.sun.xml.wss.impl.HarnessUtil.processWSSPolicy(HarnessUtil.java:64)
          	at com.sun.xml.wss.impl.HarnessUtil.processDeep(HarnessUtil.java:218)
          	at com.sun.xml.wss.impl.SecurityAnnotator.processMessagePolicy(SecurityAnnotator.java:143)
          	at com.sun.xml.wss.impl.SecurityAnnotator.secureMessage(SecurityAnnotator.java:118)
          	at com.sun.xml.wss.impl.misc.XWSSProcessor2_0Impl.secureOutboundMessage(XWSSProcessor2_0Impl.java:77)
          	at samples.ws.ads.ADSClient$1.doWithMessage(ADSClient.java:75)
          	at org.springframework.ws.client.core.WebServiceTemplate$4.doWithMessage(WebServiceTemplate.java:354)
          	at org.springframework.ws.client.core.WebServiceTemplate.sendAndReceive(WebServiceTemplate.java:395)
          	at org.springframework.ws.client.core.WebServiceTemplate.doSendAndReceive(WebServiceTemplate.java:350)
          	at org.springframework.ws.client.core.WebServiceTemplate.sendSourceAndReceiveToResult(WebServiceTemplate.java:296)
          	at org.springframework.ws.client.core.WebServiceTemplate.sendSourceAndReceiveToResult(WebServiceTemplate.java:287)
          Any ideas here? Maybe I'm not wiring up the actual keystore properly?

          Thanks for any response!


          • #6
            Nullpointer exception

            You need to set the default private key alias on the KeyStoreCallbackHandler. I agree that dumping a nullpointer exception is not very helpful.

            BTW: I got your error with the signing as well but am forced to use JDK 1.5. Is there another way to get it solved which you know of?
            Last edited by vanwijngaarden; Sep 9th, 2007, 01:55 AM. Reason: typo


            • #7
              Setting the default alias did not resolve the issue, I get the same error. [sigh] Does anyone have an example of how to wire up the xwsInterceptor and keystore to the actual client bean that implements WebServiceGatewaySupport?


              • #8
                Client examples

                For your information I attached client example code: you may have forgotten to set the keystore callback handler for handling the key requests? This was not necessary in the original posting you referred to, since it used user authentication, not signing.

                The bean file wiring for the attached source:

                <bean id="secureClient" class="XwssClient">
                    <constructor-arg value="/WEB-INF/ws/client-policy.xml"/>
                    <constructor-arg>
                        <bean class="org...xwss.callback.KeyStoreCallbackHandler">
                            <property name="keyStore">
                                <bean class="org...support.KeyStoreFactoryBean">
                                    <property name="location" value="/WEB-INF/ws/keystore.client"/>
                                    <property name="password" value="changeit"/>
                                </bean>
                            </property>
                            <property name="defaultAlias" value="mykey"/>
                            <property name="privateKeyPassword" value="mypassword"/>
                        </bean>
                    </constructor-arg>
                    <property name="defaultUri" value="http://blabla.."/>
                    ....
                    <property name="marshaller" ref="marshaller"/>
                    <property name="unmarshaller" ref="marshaller"/>
                </bean>


                • #9
                  Attached client examples

                  And the Java code.


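The attachments from #8 and #9 are not part of this page, so here is an added example (my code, not the poster's XwssClient) of what that wiring does in Java: a Spring WS 1.0 client that runs the outbound message through an `XWSSProcessor` built from the client-side `xwss:SecurityConfiguration` of the first post, with a `KeyStoreCallbackHandler` that has `keyStore`, `defaultAlias` and `privateKeyPassword` set, which is what `SignatureKeyCallback.AliasPrivKeyCertRequest` needs. The resource names, the alias `client` and the passwords are placeholders.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;

import javax.xml.soap.SOAPMessage;
import javax.xml.transform.Result;
import javax.xml.transform.Source;

import com.sun.xml.wss.ProcessingContext;
import com.sun.xml.wss.XWSSProcessor;
import com.sun.xml.wss.XWSSProcessorFactory;
import com.sun.xml.wss.XWSSecurityException;

import org.springframework.core.io.Resource;
import org.springframework.ws.WebServiceMessage;
import org.springframework.ws.client.core.WebServiceMessageCallback;
import org.springframework.ws.client.core.WebServiceTemplate;
import org.springframework.ws.soap.saaj.SaajSoapMessage;
import org.springframework.ws.soap.security.support.KeyStoreFactoryBean;
import org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler;

/**
 * Added example (not the XwssClient attached to the thread): signs every outbound request
 * with XWSS before WebServiceTemplate sends it. Resource names, alias and passwords are
 * placeholders chosen for this example.
 */
public class SigningClient {

    private final XWSSProcessor processor;
    private final WebServiceTemplate template;

    public SigningClient(Resource policy, KeyStoreCallbackHandler handler, String defaultUri)
            throws IOException, XWSSecurityException {
        InputStream in = policy.getInputStream();
        try {
            // policy = the client-side xwss:SecurityConfiguration (xwss:Sign with an X509Token);
            // the handler answers the key and certificate callbacks XWSS issues while signing.
            processor = XWSSProcessorFactory.newInstance()
                    .createProcessorForSecurityConfiguration(in, handler);
        } finally {
            in.close();
        }
        template = new WebServiceTemplate();
        template.setDefaultUri(defaultUri);
    }

    /** Sends the payload, signing the SOAP message per the policy, and writes the reply payload to result. */
    public void send(Source requestPayload, Result responsePayload) {
        template.sendSourceAndReceiveToResult(requestPayload, new WebServiceMessageCallback() {
            public void doWithMessage(WebServiceMessage message) throws IOException {
                SaajSoapMessage saaj = (SaajSoapMessage) message;
                try {
                    ProcessingContext ctx = processor.createProcessingContext(saaj.getSaajMessage());
                    SOAPMessage secured = processor.secureOutboundMessage(ctx);
                    saaj.setSaajMessage(secured); // swap the unsigned SAAJ message for the signed one
                } catch (XWSSecurityException e) {
                    // WSS0216/WSS0217 from #5 surface here when no private key can be resolved
                    IOException wrapped = new IOException("could not sign outbound message: " + e.getMessage());
                    wrapped.initCause(e);
                    throw wrapped;
                }
            }
        }, responsePayload);
    }

    /**
     * Java equivalent of the bean wiring in #8: the keystore holds the client's private key
     * and certificate; defaultAlias and privateKeyPassword select and unlock that entry.
     */
    public static KeyStoreCallbackHandler signingHandler(Resource keyStoreLocation,
            String storePassword, String alias, String keyPassword) throws Exception {
        KeyStoreFactoryBean ks = new KeyStoreFactoryBean();
        ks.setLocation(keyStoreLocation);
        ks.setPassword(storePassword);
        ks.afterPropertiesSet();

        KeyStoreCallbackHandler handler = new KeyStoreCallbackHandler();
        handler.setKeyStore((KeyStore) ks.getObject());
        handler.setDefaultAlias(alias);
        handler.setPrivateKeyPassword(keyPassword);
        handler.afterPropertiesSet();
        return handler;
    }
}
```

Usage is `new SigningClient(new ClassPathResource("client-policy.xml"), SigningClient.signingHandler(new ClassPathResource("keystore.client"), "changeit", "client", "changeit"), "http://host/endpoint").send(request, result)`. Note that it is `setKeyStore`, not `setTrustStore`, that feeds the signing callbacks: the trust store only serves certificate validation on the receiving side.
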
                  • #10
                    Thank you for the quick responses! I am able to sign the outgoing messages now using your example. Unfortunately it appears as though the web service I'm talking to only wants the BinarySecurityToken in the header and does not require or accept the ds:Signature elements. When I manually strip out the ds:Signature elements everything works fine.

                    Is there a way to configure this to work in spring using a wsse policy file? Specifically I just want only the BinarySecurityToken to be applied to the header of each outgoing message.

                    Thanks!


                    • #11
                      Policy

                      AFAIK XWSS doesn't support that. The reason is quite clear: why just send a certificate/public key to the other party without doing anything with it? This has no added value since the certificate is meant to be known by everyone and therefore doesn't add any security.

                      If I were you I would verify the exact requirements from the web service provider. Otherwise, you can just forget XWSS and always add the needed XML elements using Java code in the client callback. Since the information is always the same, this just means replacing the SOAP header with a SOAP header containing the binary security token.


                      • #12
                        I agree, it seems strange that they only request the BST. I have a call into the folks we are working with to resolve this. In the meantime, I use xwss to apply the security, then remove the unused Signature elements in the header on doWithMessage. This is just a temporary hack until we get the certs figured out.

                        Thanks for all your help!


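The point made in #11 is what the receiving side enforces: a `wsse:BinarySecurityToken` on its own proves nothing, because the certificate is public and nothing in the message was produced with the matching private key. The added example below (my code, not from the thread) is the server-side counterpart to the first post's `xwss:RequireSignature requireTimestamp="true"` configuration: it runs the inbound SAAJ message through `XWSSProcessor.verifyInboundMessage`, with a `KeyStoreCallbackHandler` whose trust store decides which signer certificates are acceptable. A message that carries only the token, with the `ds:Signature` stripped as in #12, has nothing for that policy to verify and is rejected. Trust store name and password are placeholders.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;

import javax.xml.soap.SOAPMessage;

import com.sun.xml.wss.ProcessingContext;
import com.sun.xml.wss.XWSSProcessor;
import com.sun.xml.wss.XWSSProcessorFactory;
import com.sun.xml.wss.XWSSecurityException;

import org.springframework.core.io.ClassPathResource;
import org.springframework.core.io.Resource;
import org.springframework.ws.soap.security.support.KeyStoreFactoryBean;
import org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler;

/**
 * Added example (not from the thread): verifies inbound messages against a server-side
 * xwss:SecurityConfiguration such as the RequireSignature policy in the first post.
 */
public class InboundVerifier {

    private final XWSSProcessor processor;

    public InboundVerifier(Resource serverPolicy, KeyStoreCallbackHandler handler)
            throws IOException, XWSSecurityException {
        InputStream in = serverPolicy.getInputStream();
        try {
            processor = XWSSProcessorFactory.newInstance()
                    .createProcessorForSecurityConfiguration(in, handler);
        } finally {
            in.close();
        }
    }

    /**
     * Returns the verified message (signature checked, timestamp checked, wsse:Security
     * header consumed) or throws XWSSecurityException when the policy is not met,
     * e.g. no ds:Signature present, an untrusted signer, or an expired wsu:Timestamp.
     */
    public SOAPMessage verify(SOAPMessage inbound) throws XWSSecurityException {
        ProcessingContext ctx = processor.createProcessingContext(inbound);
        return processor.verifyInboundMessage(ctx);
    }

    /** Convenience for an interceptor: true only when the message satisfies the policy. */
    public boolean accepts(SOAPMessage inbound) {
        try {
            verify(inbound);
            return true;
        } catch (XWSSecurityException e) {
            // Log e.getMessage() server-side; return a generic SOAP fault to the caller.
            return false;
        }
    }

    /**
     * Receiving side needs a trust store, not a private key: the signer's certificate
     * (sent in the BinarySecurityToken) is validated against the CAs or certificates here.
     */
    public static KeyStoreCallbackHandler trustHandler(Resource trustStoreLocation, String password)
            throws Exception {
        KeyStoreFactoryBean trust = new KeyStoreFactoryBean();
        trust.setLocation(trustStoreLocation);
        trust.setPassword(password);
        trust.afterPropertiesSet();

        KeyStoreCallbackHandler handler = new KeyStoreCallbackHandler();
        handler.setTrustStore((KeyStore) trust.getObject());
        handler.afterPropertiesSet();
        return handler;
    }

    public static InboundVerifier forServer() throws Exception {
        // Placeholder resource names for this example.
        return new InboundVerifier(new ClassPathResource("server-policy.xml"),
                trustHandler(new ClassPathResource("server-truststore.jks"), "changeit"));
    }
}
```

Because the first post's server policy sets `requireTimestamp="true"`, the signed `wsu:Timestamp` is part of what `verify` checks, which is what limits replay of a captured signed message to the `Created`/`Expires` window shown in the dumped request.
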
                        • #13
                          Some troubles in attached sources

                          I used this bean definition to correct the error:
                          Code:
                          <bean id="secureClient" class="XwssClient">
                              <property name="helper" ref="secureClientHelper"/>
                              <property name="defaultUri" value="bla-bla"/>
                              <property name="marshaller" ref="marshaller"/>
                              <property name="unmarshaller" ref="marshaller"/>
                          </bean>

                          <bean id="secureClientHelper" class="XwssClientHelper">
                              <constructor-arg value="securityPolicy.xml"/>
                              <constructor-arg>
                                  <bean class="org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler">
                                      <property name="trustStore">
                                          <bean class="org.springframework.ws.soap.security.support.KeyStoreFactoryBean">
                                              <property name="location" value="/WEB-INF/test-keystore.jks"/>
                                              <property name="password" value="password"/>
                                          </bean>
                                      </property>
                                      <!--property name="defaultAlias" value="mykey"/-->
                                      <!--property name="privateKeyPassword" value="mypassword"/-->
                                  </bean>
                              </constructor-arg>
                          </bean>
                          Last edited by 13th; Oct 29th, 2007, 09:17 AM.


                          • #14
                            Message does not conform to configured policy

                            I compiled your source successfully, but now I have another problem:
                            Code:
                            Creating SAAJ 1.3 MessageFactory with SOAP 1.1 Protocol
                            Loading key store from class path resource [test-keystore.jks]
                            Creating empty key store
                            Note the third line.
                            And after that:
                            Code:
                            29.10.2007 16:12:15 com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl getAliasPrivKeyCertRequest
                            SEVERE: WSS0216: Callback Handler failed for SignatureKeyCallback.AliasPrivKeyCertRequest
                            29.10.2007 16:12:15 com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl getAliasPrivKeyCertRequest
                            SEVERE: WSS0217: Exception in Callback Handler handle()
                            java.lang.NullPointerException
                            	at org.springframework.ws.soap.security.xwss.callback.KeyStoreCallbackHandler.getPrivateKey(KeyStoreCallbackHandler.java:440)
                            Is my keystore valid?
                            Last edited by 13th; Oct 29th, 2007, 09:16 AM.


                            • #15
                              How can I secure my web services?

                              I have a web service server and a web client that invokes the service, and now I need to secure the communication between them.

                              I want to sign the SOAP message and encrypt it.

                              I'm going to write a payment module, so I need to encrypt and sign all outgoing and incoming messages.
